
Perfect Forward Secrecy – how the NSA can monitor encrypted websites and how to prevent it

HTTPS (web addresses that start with https://) is widely touted as a secure way to access web pages, and is consequently used by almost all websites that demand a high level of security, including banks, online shopping sites and webmail. Unfortunately the way HTTPS is usually configured has a big flaw (well known to security professionals) which can make it easy for the likes of the NSA not only to decrypt your current communications, but also to unlock any backlog of traffic they have ‘captured’ in the past.

The Problem

As most even vaguely tech-savvy people know, all modern browsers have built-in support for SSL and TLS (the encryption protocols on which HTTPS is built). When you visit a ‘secure’ website, a padlock appears in the address bar to let you know that you are accessing it over an encrypted connection.

The https padlock in Firefox

For the system to work, your computer and the server agree on a shared session key, which is different for each computer that connects to the server, and different each time your computer connects. All well and good.

However (and this is the problem), in the RSA key exchange that most HTTPS sites use, your computer chooses the secret from which the session keys are derived, encrypts it with the server’s public key and sends it over; the server recovers it with its private key. If the private key remains secret there is no problem, but anyone who obtains it and has recorded the connection can decrypt that exchanged secret and, from it, every session key, so all data protected this way can then be easily decrypted.

Unfortunately there is only one such private key per site: the one belonging to its certificate. It is used for every connection and typically stays in service for years, because replacing it is a hassle, so if this one key is compromised the attacker gains access to all communications it ever protected.

In short, the private key is a ‘master key’ that can be used to ‘unlock’ all recorded data encrypted by a given company.

Where NSA spying fits in

The NSA has been doing its level best over the last few years to hoover up every scrap of data transmitted on the internet. Most data is briefly examined and, if determined harmless, discarded (at least if it originates in the US; no such rules apply to other data, although sheer practicality suggests this must also be the case with non-US data).

However, when it encounters encrypted data (which is at present impossible, or at least too arduous, to break), it stores it indefinitely until it can decrypt it (details of NSA procedures relating to data collection can be found here).

What this means is that all the NSA has to do to decrypt every Hotmail (for example) HTTPS session it has recorded is to discover Hotmail’s private key, which unlocks every one of those sessions for as long as that key was in use.

To put it another way, the NSA stores all encrypted information until it can ‘unlock’ it. The standard way that HTTPS works means there is a ‘master key’ (much like a single password for everything) which, once discovered, lets the NSA easily decrypt all the data it has stored from a particular service.

The Solution

Perfect Forward Secrecy (PFS, also referred to as Forward Secrecy, since ‘perfect’ is regarded as controversial in this context) is a system whereby a new and unique key pair, used for nothing else and thrown away afterwards, is generated for each session. The server’s long-term private key is then used only to sign the handshake, proving who the server is; it no longer protects the session keys.

It is a simple idea (even if the Diffie-Hellman exchange maths is complex), and means that each session with an HTTPS service has its own set of keys (i.e. no ‘master key’). Because the per-session private values are discarded once the handshake is done, a recording of the traffic plus a stolen server key yields nothing.
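To make the contrast concrete (the RSA key exchange described under ‘The Problem’ and the per-session keys described here), the following added example simulates both handshake shapes in pure Python. It is not code from the original article. It assumes a toy-sized, unpadded textbook RSA key standing in for the server’s long-term certificate key, a plain SHA-256 hash in place of the TLS key-derivation function, and an X25519 written out from RFC 7748 for the ephemeral exchange; the protocol shape is faithful, the primitives are for illustration only.

```python
import hashlib, secrets

# X25519 (RFC 7748 Montgomery ladder): the ephemeral key agreement behind ECDHE suites.
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519: 32-byte little-endian scalar and u-coordinate in, u out."""
    k = bytearray(k)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64               # clamp the scalar (RFC 7748 section 5)
    k = int.from_bytes(k, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P  # mask the top bit, reduce mod p
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# Toy textbook RSA standing in for the server's long-term certificate key (toy size, no padding).
def _probable_prime(n: int, rounds: int = 32) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):     # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                    # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 512):
    """Returns ((n, e), (n, d)). Real sites use 2048+ bits and keep one such key in service for years."""
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1         # b-bit odd candidate
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if p != q and phi % e:                                 # e must be invertible mod phi
            return (n, e), (n, pow(e, -1, phi))

def rsa_sign(priv, msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[1], priv[0])

def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def derive(premaster: bytes) -> bytes:                         # stands in for the TLS PRF
    return hashlib.sha256(b"session key" + premaster).digest()

# Mode 1: RSA key transport, the default in most deployments when this article was written.
def rsa_handshake(server_pub):
    """Client alone picks the premaster secret and sends it under the long-term key; returns key + wire capture."""
    premaster = secrets.token_bytes(32)
    return derive(premaster), {"client_key_exchange": pow(int.from_bytes(premaster, "big"), server_pub[1], server_pub[0])}

def rsa_retrospective_decrypt(server_priv, recording) -> bytes:
    """A stolen long-term key plus a recorded handshake yields the session key, however old the recording."""
    return derive(pow(recording["client_key_exchange"], server_priv[1], server_priv[0]).to_bytes(32, "big"))

# Mode 2: signed ephemeral X25519 (ECDHE). The long-term key only signs, so nothing it could decrypt is sent.
def ecdhe_handshake(server_pub, server_priv):
    """Fresh key pair on each side; returns both derived keys and what a passive recorder captures."""
    s_priv = secrets.token_bytes(32)
    s_pub = x25519(s_priv, BASEPOINT)
    sig = rsa_sign(server_priv, s_pub)                         # ServerKeyExchange: ephemeral key + signature
    if not rsa_verify(server_pub, s_pub, sig):                 # the client authenticates the server here
        raise ValueError("bad signature on server ephemeral key")
    c_priv = secrets.token_bytes(32)
    c_pub = x25519(c_priv, BASEPOINT)                          # ClientKeyExchange: ephemeral key only
    client_key, server_key = derive(x25519(c_priv, s_pub)), derive(x25519(s_priv, c_pub))
    # s_priv and c_priv go out of scope here: the recording holds only public values and a signature.
    return client_key, server_key, {"server_key_exchange": (s_pub, sig), "client_key_exchange": c_pub}
```

Run both modes with the same long-term key: `rsa_retrospective_decrypt` recovers the RSA-mode session key from the recording alone, while the ECDHE recording contains only two public values and a signature, so the same stolen key gives an adversary nothing to decrypt (it still lets them impersonate the server in future handshakes, which is why a compromised key must be revoked and replaced). Before trusting the X25519 routine for anything else, check it against the test vectors in RFC 7748 section 6.1.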

Brilliant! So who uses Perfect Forward Secrecy?

Unfortunately almost nobody except (and this is a big except) Google. Adam Langley from Google’s security team highlighted the problem thusly:

‘Most major sites supporting HTTPS operate in a non-forward secret fashion, which runs the risk of retrospective decryption. In other words, an encrypted, unreadable email could be recorded while being delivered to your computer today. In ten years time, when computers are much faster, an adversary could break the server private key and retrospectively decrypt today’s email traffic … An adversary that breaks a single key will no longer be able to decrypt months’ worth of connections; in fact, not even the server operator will be able to retroactively decrypt HTTPS sessions.’

Google has become a champion for the PFS cause, and not only enables it by default for its own services, but has built the ability to verify that PFS is being used into its Chrome browser. In Chrome, simply click on the HTTPS padlock icon and select the ‘Connection’ tab.

Although only Chrome lets you verify that PFS is being used, PFS works with all up-to-date versions of Internet Explorer (but not on Windows XP) and Firefox. Note that forward secrecy is negotiated: it only happens when the server offers (and ideally prioritises) an ECDHE or DHE cipher suite and the browser supports it. To check whether your browser supports ECDHE (as used by Google) or DHE, go here.
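The server-side counterpart to that browser check, added here as an example and not part of the original article: given an OpenSSL cipher string of the kind found in web-server configs, it expands the string with the local TLS library and reports which of the resulting suites do not use an ephemeral (EC)DHE key exchange. Classification is by suite name, so the same function also works on a list copied from a scanner report. Assumptions: Python’s ssl module is built on OpenSSL (whose cipher-string syntax is expanded), and the scanner list at the bottom is constructed for the example.

```python
import re
import ssl

# Suite names whose key exchange is ephemeral. OpenSSL spellings: ECDHE-, DHE-, the older EDH- alias,
# plus anonymous ADH-/AECDH- (ephemeral, hence forward secret against a passive recorder, but they
# authenticate nobody, so they belong behind !aNULL anyway). IANA spellings: TLS_ECDHE_, TLS_DHE_,
# TLS_ECDH_anon_, TLS_DH_anon_. Static ECDH-/DH- (TLS_ECDH_RSA_ etc.) and plain RSA transport carry none.
_EPHEMERAL = re.compile(r"^(?:TLS_)?(?:ECDHE|DHE|EDH|ADH|AECDH|ECDH_anon|DH_anon)[-_]")
# TLS 1.3 suite names have no key-exchange part at all, because 1.3 permits only (EC)DHE.
_TLS13 = re.compile(r"^TLS_(?:AES_|CHACHA20_)")

def is_forward_secret(suite: str) -> bool:
    """True for (EC)DHE and TLS 1.3 suites; False for RSA key transport, static (EC)DH and plain PSK."""
    return bool(_EPHEMERAL.match(suite) or _TLS13.match(suite))

def split_by_key_exchange(suites) -> dict:
    """Partition a list of suite names (either spelling) into forward-secret and not."""
    return {"forward_secret": [s for s in suites if is_forward_secret(s)],
            "non_forward_secret": [s for s in suites if not is_forward_secret(s)]}

def audit_cipher_string(cipher_string: str) -> dict:
    """Expand an OpenSSL cipher string exactly as a server on this library would, then partition it.
    Raises ssl.SSLError if the string selects nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return split_by_key_exchange([c["name"] for c in ctx.get_ciphers()])

# Constructed sample: the kind of list a scanner such as SSL Labs reports for a server, in IANA spelling.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",        # static ECDH: the certificate key is the DH key
    "TLS_RSA_WITH_AES_128_CBC_SHA",             # RSA key transport: the 'master key' problem
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    print("scanner sample, not forward secret:", split_by_key_exchange(SAMPLE_SCAN)["non_forward_secret"])
    for spec in ("DEFAULT", "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5"):
        r = audit_cipher_string(spec)
        print(f"{spec!r}: {len(r['forward_secret'])} forward-secret, {len(r['non_forward_secret'])} not")
```

A server that wants forward secrecy for every client should end up with an empty `non_forward_secret` list for its configured string; if it cannot (because it must still serve old clients that only speak RSA key transport), it should at least list the ECDHE suites first and enable server-side cipher preference, so that every client that can do forward secrecy gets it.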

So why doesn’t everyone use PFS?

Given the clear security advantages offered by Perfect Forward Secrecy, the obvious question is why do more services not use it? The answer is not entirely clear, although it probably boils down to one (or a combination) of three things:

1. Not everyone is aware of it. This might be true in some cases, but if the security experts at Amazon, PayPal or Apple do not know of it, we would be very surprised.

2. It is deliberately not used so that organisations such as the NSA can readily access the data. One for the conspiracy theorists, this, although in the light of recent revelations perhaps not so far-fetched.

3. It uses more processing power. The full Diffie-Hellman key exchange (EDH or DHE) can use between 15 per cent and 27 per cent more computing horsepower, although the elliptic-curve variant (ECDHE, which Google uses) is considerably cheaper. While this is probably the main reason that many companies have been slow to adopt PFS, the overhead can be reduced by ‘resuming’ an earlier TLS session (rather than performing the full exchange each time). One caveat: if resumption relies on session tickets, the key that encrypts those tickets becomes a long-lived secret of its own and must be rotated regularly, or it undoes the forward secrecy the handshake provides.

Conclusion

The NSA is storing all encrypted data it encounters until such time as it can readily decrypt it, and the way that HTTPS usually works is pretty much set up to make this easy for them.

Given its advantages, the slowness with which companies are adopting PFS demonstrates a laziness or sloppiness bordering on the sinister. Fortunately, in the wake of the NSA scandal interest in PFS is growing: a couple of high-profile articles on the subject have appeared on The Register and Netcraft, and SSL Labs has released a tool for assessing whether a given server supports PFS (explanatory article here).

We hope that the technical staff of popular web services take note, and commend Google for leading the way (at least in this regard).

5 responses to “Perfect Forward Secrecy – how the NSA can monitor encrypted websites and how to prevent it”

Lots of little measures are the way forward. Use a more secure OS, such as BSD or Unix-like, route all WAN data through a VPN, encrypt data locally on your machine, avoid the laziness of quick and easy passwords and use very secure passwords. But when all is said and done, even all these measures combined will only protect you from 3rd party snooping (bedroom hackers, script kiddies). If the government wants to access your data badly enough, they’ll get it.

I agree overall with you, but I do think measures can be usefully taken against blanket government surveillance. Sure, if the NSA wants to know what you are up to they will, but using the ‘small measures’ (including VPN of course!) that you talk about can go a long way to preventing everything you do being monitored and stored somewhere, even when no-one is out to get you…

Well, for PFS (the subject of this article), nothing, as this is a server-side issue. For general protection on the internet we strongly recommend using a VPN, and each VPN provider supplies the necessary software (or provides the necessary guides to setting it up on third-party or existing software – basic VPN support is built into most operating systems). Perhaps you should start by reading our article on ‘What is a Virtual Private Network?’ (bestvpncom.wpengine.com/blog/4158/what-is-a-virtual-private-network/), followed by some of our reviews, in order to get an idea of how it all works…